>>>>> On Mon, 1 Jun 2009 11:56:06 -0700, Bill Ward <bill@wards.net> said:
BW> Well, you could always launch frequent security updates and track those
BW> downloads I guess :)
No, because most people track them through the OS updates as well...
Many people just wait for the base OS to patch their system expecting
(hoping) that they're rapid in doing so.
Now, imagine if you will trying to coordinate with a bunch of vendors
that pull the package from you and from distributions and then
redistribute it themselves, but silently within their embedded products
(they may not want people to know they're using free (BSD) software).
Now imagine finding a security vulnerability and trying to coordinate
with all of them. Now imagine going to CERT with such a problem and
having them contact a slew of people, some of whom were even direct
commercial competitors to your open source project. Now imagine finding
out that the notification had been sent to so many people that it
was actually found in perfect copy in the wild on nasty-people lists, but
CERT still didn't want to publish publicly for another month so there
you sit for a month with the bad guys having the notice but all the good
guys don't. This happened to me a little over a year ago and it wasn't
fun. Fortunately, security vulnerabilities have been very rare for me.
But it just goes to show you how impossible it can be to track usage
through everyone that needs update, or worse needs to create updates for
*their* product or distribution. It's a nightmare. I'm certainly not
bitter about it, right?
--
Wes Hardaker  http://pontifications.hardakers.net
"In the bathtub of history the truth is harder to hold than the soap,
and much more difficult to find."  -- Terry Pratchett
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox